DETAILED ACTION

1. This office action is in response to the communication filed on 04/01/2004.

2. Claims 1-33 are currently presented for the examination. 

3. Claims 1-33 have been rejected. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all obviousness
rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are such that 
the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary 
skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 

4. Claims 1-3, 9-12, 24, 28 and 29 are rejected under 35 USC 103 (a) as being
unpatentable over Upton (US 20030097574 A1) in view of Beck et al (2004/0088349 A1).

Regarding claim 1, Upton discloses a system to provide application-to-application 
enterprise security, the system comprising: 

a security application program interface coupled to a client application operable on a 
first operating system to provide a security credential (Par [0061]-[0074], [0127]-[0130]; 
Claims 1 and 12; client application/ interface); 

an authentication authority (Par [0115], [0128]-[0130], [0145]-[0147]; security
services; authentication/ authorization SPI) operable to receive the security credential from
the security application program interface, the authentication authority further operable to
communicate the token to the security application program interface where the security
credential is valid (Fig 4; Par [0104], [0114], [0130], [0150]; Claims 1,12; service provider
interface/ SPI; checking public/ password type, or generic/ token type credentials).

a store maintaining data operable to validate the security credential, the store in 
communication with the authentication authority to validate the security credential (Par 
[0065]-[0066]; storing credential/ passwords); 

an application program interface coupled to the client application, the application 
program interface operable to communicate regarding the token (Par [0061]-[0074], [0104], 
[0114], [0130], [0150]; claims 1,12; client application/ interface using credentials/ token for
mapping/ authentication) and 

a server application operable on a second operating system to receive the token from 
the application program interface, the server application operable to communicate with 
the authentication authority to validate the token to enable the client application to 
use services of the server application (Par [0104], [0114]-[0116], [0130]; Claims 1,12; 3rd
party validating/ authenticating credentials). 

Although Upton discloses use of a token as credentials (Par [0150]), and it would be
further logically obvious to an ordinary skill in art to generate the token, Upton fails to
disclose expressly the authentication authority further operable to generate a token.

However, Beck et al discloses the authentication authority further operable to 
generate a token (Par [0024]; generating the token that would be used for authentication). 

Beck et al and Upton are analogous art because they are from the same field of 
authentication for network/ enterprise services. At the time of invention, it will be obvious to 
a person with ordinary skill in the art to combine the teaching of Beck et al with Upton to
design the system wherein the authentication authority further operable to generate a token in 
order to facilitate a token based authentication. 

Regarding claim 9, it is rejected applying as above rejecting claim 1, furthermore, 
Upton discloses A method for providing application-to-application enterprise security, the 
method comprising: 

communicating a security credential from a client application operable on a first 
operating system to an authentication authority (Par [0061]-[0074], [0127]-[0130], [0130], 
[0150]; Claims 1,12; client application/ interface providing credentials; service provider interface/ 
SPI authenticating public/ password type, or generic/ token type credentials); 

communicating information related to the security credential between the 
authentication authority and a data store to determine whether the security credential is valid; 
(Par [0104], [0114], [0130], [0150]; Claims 1,12; service provider interface/ SPI; validating/
authenticating credentials); 

communicating the token to the client application; providing, by the client application, 
the token to a server application, the server application operable on a second operating system 
(Par [0061]-[0074], [0127]-[0130], [0130], [0150]; Claims 1,12; client application/ interface 
providing credentials; service provider interface/ SPI authenticating public/ password type, or 
generic/ token type credentials); and

validating, by the server application, the token before providing access to services of
the server application by the client application (Par [0104], [0114]-[0116], [0130]; Claims
1,12; 3rd party validating/ authenticating credentials).

Upton fails to disclose expressly generating a token by the authentication authority 
when the security credential is valid. 

However, Beck et al discloses generating a token by the authentication authority when 
the security credential is valid (Par [0024]; generating the token that would be used for 
authentication). 

Regarding claim 28, it recites the limitations of claims 1 and 9, therefore, it is rejected 
applying as above rejecting claim 1 and 9. 

Regarding claim 2, Upton discloses the system of Claim 1, wherein the server 
application further comprises: an application program interface to communicate with the 
application program interface of the client application (Par [0061]-[0074], [0127]-[0130]; Claims 
1 and 12; client application/ interface); and a security application program interface to 
communicate with the authentication authority (Par [0115], [0128]-[0130], [0145]-[0147];
security services; authentication/ authorization SPI). 



Regarding claim 3, Beck et al discloses wherein the server application is operable to 
cache the token after validating the token with the authentication authority such that when the 
client application requests service of the server application, via the application program
interfaces of the client application, the server application uses the cached token to validate the 
client application (Par [0018]-[0120]; using generated/ stored token for authentication). 

Regarding claims 10-12 and 29, they recite the limitations of claims 1-3, 9 and 28, 
therefore, they are rejected applying as above rejecting claims 1-3, 9 and 28. 

Regarding claim 24, Upton discloses wherein the security credential is further defined 
as including a password and user identification (Par [0061]-[0074], [0150]). 

5. Claims 4-7, 13-14, 16-19, 21-23 and 30-33 are rejected under 35 USC 103 (a) as
being unpatentable over Upton (US 20030097574 A1) in view of Beck et al (2004/0088349
A1) further in view of Gurevich et al (2002/0178370 A1).

Regarding claim 4, modified Beck et al -Upton system fails to disclose wherein 
the token generated by the authentication authority comprises a string including at least a 
portion of the security credential. 

However, Gurevich et al discloses wherein the token generated by the authentication 
authority comprises a string including at least a portion of the security credential (Par [0057]; 
claims 11,23). 

Gurevich et al and Upton are analogous art because they are from the same field of 
authentication for network/ enterprise services. At the time of invention, it will be obvious to 
a person with ordinary skill in the art to combine the teaching of Gurevich et al with 
modified Beck et al -Upton to design the system wherein the token generated by the
authentication authority comprises a string including at least a portion of the security 
credential in order to provide alternative token generation method. 

Regarding claims 5 and 6, Gurevich et al discloses wherein at least a portion of the
token is in Extensible Markup Language format (Par [0071], [0076], [0081]; token in XML 
format). 

Regarding claim 7, Beck et al discloses wherein the token includes information 
related to an expiration date of the token (Par [0003]-[0005]; claims 11, 20).

Regarding claims 13-14, 16-19 and 21-23, they recite the limitations of claims 4-7 and 
9, therefore, they are rejected applying as above rejecting claims 4-7 and 9. 

Regarding claims 30-33, they recite the limitations of claims 4-7 and 28, therefore, 
they are rejected applying as above rejecting claims 4-7 and 28. 



6. Claims 8 and 15 are rejected under 35 USC 103 (a) as being unpatentable over Upton
(US 20030097574 A1) in view of Beck et al (2004/0088349 A1) further in view of Laferriere
et al (US 2005/0188212 A1).

Regarding claim 8, modified Beck et al -Upton system fails to disclose wherein
validating the token by the authentication authority includes determining whether the
authentication authority created the token. 

However, Laferriere et al discloses wherein the token generated by the authentication 
authority comprises a string including at least a portion of the security credential (Par [0012]- 
[0023]; claims 1,14). 

Laferriere et al and Upton are analogous art because they are from the same field of 
authentication for network/ enterprise services. At the time of invention, it will be obvious to 
a person with ordinary skill in the art to combine the teaching of Laferriere et al with 
modified Beck et al -Upton to design the system wherein the token generated by the 
authentication authority comprises a string including at least a portion of the security 
credential in order to provide with better data/ credential security. 

Regarding claim 15, it recites the limitations of claim 8 and 9, therefore, it is rejected 
applying as above rejecting claims 8 and 9. 

7. Claims 20 and 25 are rejected under 35 USC 103 (a) as being unpatentable over
Upton (US 20030097574 A1) in view of Beck et al (2004/0088349 A1) further in view of
Gurevich et al (2002/0178370 A1) further in view of Favazza et al (US 20040139319 A1).

Regarding claim 20, modified Beck et al -Upton system fails to disclose wherein the
token is encrypted.

However, Favazza et al discloses wherein the token is encrypted (Par [0039], [0050]).

Favazza et al and Upton are analogous art because they are from the same field of 
authentication for network/ enterprise services. At the time of invention, it will be obvious to 
a person with ordinary skill in the art to combine the teaching of Favazza et al with modified 
Beck et al -Upton to design the system wherein the token is encrypted in order to provide 
further credential security. 

Regarding claim 25, it recites the limitations of claims 20 and 24, therefore, it is rejected
applying as above rejecting claims 20 and 24. 

8. Claims 26-27 are rejected under 35 USC 103 (a) as being unpatentable over Upton
(US 20030097574 A1) in view of Beck et al (2004/0088349 A1) further in view of Favazza et
al (US 20040139319 A1).

Regarding claim 26, Upton discloses data store is a certificate authority (Par [0076]- 
[0077]), however, modified Beck et al -Upton system fails to disclose wherein the security 
credential is an X.509 certificate. 

However, Favazza et al discloses wherein the security credential is an X.509
certificate (Par [0039], [0050]). 

Favazza et al and Upton are analogous art because they are from the same field of 
authentication for network/ enterprise services. At the time of invention, it will be obvious to 
a person with ordinary skill in the art to combine the teaching of Favazza et al with modified 
Beck et al -Upton to design the system wherein the security credential is an X.509 certificate 
to provide alternative secure credentials. 

Regarding claim 27, it is rejected applying as above rejecting claim 26, furthermore, 
Upton discloses communicating the X.509 certificate from the authentication authority to the 
certificate authority (Par [0073], [0076]-[0077]); validating the certificate by the certificate 
authority; and communicating validation information to the authentication authority (Par 
[0073], [0076]-[0077]). 

However, modified Beck et al -Upton system fails to disclose wherein the security
credential is an X.509 certificate. 

However, Favazza et al discloses wherein the security credential is an X.509 
certificate (Par [0039], [0050]). 

Conclusion 

9. A shortened statutory period for response to this action is set to expire in 3 (Three) 
months and 0 (Zero) days from the mailing date of this letter. Failure to respond within the 
period for response will result in ABANDONMENT of the application (see 35 U.S.C 133,
M.P.E.P 710.02(b)). 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Shanto M Abedin whose telephone number is 571-272-3551. 
The examiner can normally be reached on M-F from 9:00 AM to 5:30 PM. If attempts to 
reach the examiner by telephone are unsuccessful, the examiner's supervisor, Moazzami
Nasser, can be reached on 571-272-4195. The fax phone number for the organization where 
this application or proceeding is assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from the Patent 
Application Information Retrieval (PAIR) system. Status information for published 
applications may be obtained from either Private PAIR or Public PAIR. Status information 
for unpublished applications is available through Private PAIR only. For more information 
about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access 
to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 
(toll-free). 



Shanto M Abedin
Examiner, AU2136




